Snort mailing list archives
Re: Snort + ipchains
From: Guillaume <guillaume () anteria fr>
Date: Sat, 01 Dec 2001 22:12:59 +0100 (CET)
In reply to John Sage <jsage () finchhaven com>:
Guillaume: It's interesting to note that the HOW-TO doesn't even mention -o except in a cross-reference to ipfwadm commands. man ipchains says "Copy matching packets to the user space device..." I've never used it; hardly knew it existed. What exactly are you hoping to accomplish?
I would like to capture rejected/denied packets in raw binary format for a kind of forensic analysis, in search of traces of new attacks. For that, ipchains logs are not enough. All I can do is suspect these packets, just because they were rejected by ipchains... My thought is to capture all that and perform snort or any other network utility post-analysis. The hardest part being that, if ipchains and snort are up to date, no signature or rule will match the captured traffic... But the goal is to write new ones.

Guillaume

Sent with HORDE/IMP (www.horde.org)
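The "raw binary format" Guillaume is after is, in practice, a libpcap file: that is what `snort -r <file>` reads back for offline rule matching. The block below is an added example, not code from the thread or from the Snort project. It is a dependency-free pcap writer and reader in Python, plus a constructed IPv4/TCP SYN segment standing in for a packet a firewall rule would have copied out. The function names, the addresses and the timestamp are assumptions; the link type is LINKTYPE_RAW because a firewall hook sees packets starting at the IP header, with no link-layer frame.

```python
"""Save firewall-dropped packets in libpcap format, the raw binary form that
`snort -r <file>` reads back for offline analysis.  Added example, not code from
the thread.  It has no dependencies; the packet below is constructed."""
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic (microsecond timestamps)
LINKTYPE_RAW = 101        # packets start at the IP header, no link-layer frame
SNAPLEN = 65535


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a header carrying a correct
    checksum sums to 0 when passed back through this function."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   seq: int = 0, flags: int = 0x02) -> bytes:
    """Constructed IPv4/TCP segment (default flags = SYN) with valid IP and
    TCP checksums, standing in for a packet a DENY rule dropped."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      8192, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def write_pcap(records, linktype: int = LINKTYPE_RAW) -> bytes:
    """records: iterable of (ts_sec, ts_usec, packet_bytes).  Returns the
    complete file image: 24-byte global header + 16-byte header per packet."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype)]
    for ts_sec, ts_usec, pkt in records:
        pkt = pkt[:SNAPLEN]
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def read_pcap(data: bytes):
    """Parse a pcap image (either byte order); returns (linktype, records)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    _, vmaj, vmin, _, _, _, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl > len(data):
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_usec, data[pos:pos + incl]))
        pos += incl
    return linktype, records


def ipv4_header_ok(pkt: bytes) -> bool:
    """True if the IPv4 header checksum verifies.  Snort discards packets with
    bad checksums by default, so a capture with broken checksums matches nothing."""
    ihl = (pkt[0] & 0x0F) * 4
    return len(pkt) >= ihl and pkt[0] >> 4 == 4 and inet_checksum(pkt[:ihl]) == 0


if __name__ == "__main__":
    # Constructed sample: one SYN to tcp/22 that a DENY rule would have dropped.
    dropped = build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 22)
    with open("denied.pcap", "wb") as f:
        f.write(write_pcap([(1007247979, 0, dropped)]))   # then: snort -r denied.pcap
```

Running the block writes `denied.pcap`, which `snort -r denied.pcap` will decode and run its rule set over; the reader is there so a capture can be checked for truncation or a wrong byte order before it is handed to Snort.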
Current thread:
- Snort + ipchains Guillaume (Nov 30)
- Re: Snort + ipchains John Sage (Nov 30)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Erek Adams (Dec 01)
- Re: Snort + ipchains Ed Wiget (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Nov 30)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains John Berkers (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 02)
- Re: Snort + ipchains John Sage (Dec 02)